ALARMED: Guilty Until Proven Innocent

Recently, Gillette was testing a system in retail outlets in the United States and Britain that would snap a photograph of you every time you lifted a pack of the company's razors from their shelf. Somewhere, Orwell smirked. Maybe Gillette wants to check the closeness of its consumers’ shaves, but more likely, it wants to endear itself to retailers by helping to stop shoplifting. Taking that snapshot of you in case you forget to visit the cashier on your way out, however, is a tacit presumption of your guilt — until you prove your innocence when you pay.

Gillette's "smart shelf" system uses RFIDs (radio frequency identifications), tiny tags that send a radio beacon to a receiver, which tells the camera hidden in the shelf to take the picture. It's the same technology used in toll-booth express lanes and to pay for gas with a dongle.

The system was developed in conjunction with the Auto-ID Center, an organization powered by MIT engineers and corporate funding (from Gillette, Procter & Gamble and Wal-Mart, among others). The Auto-ID Center’s goal is to promote RFID use in every aspect of commerce imaginable. For example, some day, proponents hope, there will be RFIDs in food to prevent bioterrorism. In the meantime, the first RFID applications boost efficiency in the supply chain. With extremely little human intervention, RFIDs can track parts and inventory from point of origin to final destination. And they can detect parts and inventory diverted fraudulently anyplace in between.

The technology itself isn't particularly overwhelming. The tags are basically UPC symbols that don't require contact to "read." All you need is proximity, since the tags transmit the data they hold. What is overwhelming about RFIDs are the economics. The RFID tags are so cheap that Gillette bought 500 million of them earlier this year.

That purchase was a watershed — the legitimisation of the technology. The only limit for RFID applications now is the human imagination. There are plans to put RFIDs in tires and soda cans and sneakers and weave them into clothes. They're on dog collars. And, yes, there are plans to link them to cameras in order to prevent shoplifting. RFIDs do hold a lot of promise — as long as they're not abused.

But avoiding abuse will be a tall order amid the corporate rush to make more money more efficiently, and to create what corporations will say are great consumer benefits (some real, some clearly imaginary). Already, the toddling RFID industry has failed to thoughtfully consider privacy before starting to RFID everything. Some things it did not address before launching some trials:

1. How do consumers who’ve legitimately purchased an item turn off its RFID if they don't want it sending signals?

2. Since RFIDs can be concealed easily, should consumers be told when and where RFIDs are being used?

3. What happens when law enforcement tries to apprehend or prosecute a person based on information from RFID signals intercepted without a warrant?

4. Is RFID use even constitutional?

Sides have lined up in the RFID debate, and rancorously. On one extreme is Katherine Albrecht, a privacy crusader who fears RFIDs and wants them banned. Albrecht makes cogent arguments about possible abuses of RFIDs by corporations — and in truth the industry is not off to a good start. Albrecht said she worked with London's Guardian newspaper on an investigative feature and that, initially, the Tesco retail chain denied that the smart shelf trial existed, but caved when presented with evidence by the reporters. "There are certainly not any privacy concerns" in relation to these tags, a Tesco spokesperson told the Guardian in a breathtaking bit of whistling past the graveyard. Wal-Mart, meanwhile, cancelled a shelf trial in the US in reaction to a rash of negative publicity.

On the other extreme, Gillette, the Auto-ID Center and its other supporters stand opposite the privacy advocates. For them what comes first is using the technology to improve corporate bottom lines by mitigating problematic inefficiencies, like the fact that razor blades are both expensive and easy to filch.

We’re not saying their business rationale is dubious, just the unthinking approach. Couldn’t Gillette have mitigated its risk by reconsidering pricing or packaging or even overall strategy, and not invasive picture-taking? Is the available technology always the appropriate one? It's instructive to note that Gillette hasn't returned calls on the topic.

So the smart shelf was an ill-conceived and horribly executed idea-turned-PR-disaster. But let's give the RFID supporters the benefit of the doubt and say they're just working through this the best they know how. And they’re trying to make up for their previous callousness. The Auto-ID center, according to Mark Roberti, editor of the RFID Journal, plans to announce privacy principles in September. According to Roberti's sources, the three tenets of RFID use will be something like:

1. Consumers will have the right to know that a store is using RFID tags and that a product is using RFID tags.

2. Consumers will have a choice to remove/deactivate tags without cost or penalty.

3. The use of RFIDs will not track individual people so that an RFID reader can't tell it's my shirt on a person who commits a crime.

This is great and positive news if it turns out to be true, and if the industry takes these tenets seriously, something Roberti says must be proven and not assumed. Like Albrecht, Roberti makes cogent arguments. He is thoughtful and truly appreciates the privacy issues involved here. "You don't turn off the Internet because some people abuse it," he says. "You try, through legislation or whatever other means, to minimise the abuse."

But Roberti as much as admits that the smart shelf assumes you've committed a crime until you pay: "This system is saying, 'Let's get a little more suspicious here.' They're taking these pictures for a reason. They're trying to solve a problem. You can argue, if you're Katherine Albrecht, that no company has a right to take your photograph. But then why do they have the right to point a video camera at you when all you've done is enter the store?"

Good question. But I don't think it's rhetorical. Consider this: I'm already being surveilled in my car, and at traffic lights, and in the store parking lot, and when I enter the store, and the whole time I'm in the store. And razor blades are still being stolen so often that Gillette feels like it has to implicitly accuse me of shoplifting. Will one more camera really make fewer razor blades go missing? Can we assume those who are truly motivated to steal razor blades won't find a way to beat this surveillance system, the way they've apparently beaten all of these other ones already in place? Is there any point in adding yet another hammer when 99.9 percent of us aren't nails?

Somewhere, Orwell's laughing.

"Alarmed" is a biweekly column about security and privacy. Look for a new version every other Thursday.

Cyber resilience will be particularly important as Australian organisations face increased pressure to quickly detect, respond to, and manage the repercussions of breaches in the wake of 2018’s Notifiable Data Breaches (NDB) scheme.

Copyright 2018 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.